Up to 80% of pages use dark patterns in their cookie banners
GUIDE

7 Dark Patterns for Cookie Banners, Including a Legal Assessment

Cookie banners are ubiquitous, greeting users on almost every website. For businesses, they are a necessary evil to comply with GDPR regulations.

However, there is a significant problem: up to 70% of visitors ignore the banners or do not give consent. Without consent, many website features are disabled or hidden behind what is called a 2-click solution. Often, visitors then rarely or never use these features, resulting in decreased website performance, shorter visit durations, and higher bounce rates.

It therefore makes sense to do everything possible to ensure that a large number of visitors click “Accept.” This is achieved through manipulative designs known as dark patterns. In this article, we have listed the most common dark patterns along with a legal assessment. Although about 80 percent of sites use these practices, many of them are not allowed. (Source)

Dark Pattern for Cookie Banners: Pre Ticked Boxes

Dark Pattern 1: Pre-selected Boxes for Visitors

Status: This is not GDPR-compliant.

Description:
Essential cookies are allowed and can be selected. It may be tempting to pre-select other categories as well. This would likely result in more visitors consenting to functional cookies, which are necessary for many features of a modern website. With the combination of “Accept All” and “Save Settings” buttons, visitors could easily give their consent. However, remember: this practice is not allowed in the EU.

Dark Pattern for Cookie Banners: Incorrectly classified cookies

Dark Pattern 2: Misclassified Cookies

Status: This is not GDPR-compliant.

Description:

If the first trick with pre-selected boxes doesn't work, perhaps try declaring non-essential functionalities as essential? Clearly, this isn't allowed.

The big issue with essential cookies is that only very, very few are permitted.

  • Analytics? Nope. Not essential. Your Google Analytics has to stay out.
  • Videos? Haha. No, especially not if using Vimeo, YouTube, or Wistia. Also not allowed with YouTube NoCookie or Vimeo DoNotTrack.
  • Anything involving advertising? The Meta or Google Pixel? Uh, no. Obviously not.
  • Your CRM? Clearly... not essential.

... and unfortunately, the list goes on.

Cookie Banner Dark Pattern - no decline button

Dark Pattern 3: No Decline Option on the First Screen

Status: This is not GDPR-compliant.

Description: A common sight is cookie banners where the option to decline all cookies is not immediately available. Instead, it is hidden behind a 'settings' button or similar. This significantly reduces opt-out rates, as fewer visitors are willing to navigate through the cumbersome process. Importantly, the opt-out option must be as easy to access as the opt-in option, which means it must be prominently displayed on the first screen.

Cookie Banner Dark Pattern - hiding the decline button as a text link in the top corner of the banner

Dark Pattern 4: Making the Decline Button Inconspicuous and Hiding It

Status: This is not GDPR-compliant.

Description:
If the opt-out option must be on the first screen, some might try to make it so unobtrusive that it's barely noticeable. Visitors typically do not want to spend a lot of time looking at banners and will often choose one of the more prominent buttons. Such a design may increase the acceptance rate of cookies. However, this is not allowed - as explained in Dark Pattern 3, the decline option must be as accessible and visible as the accept option.

Cookie Banner Dark Pattern - use a different design for the agree and decline button

Dark Pattern 5: Making the Decline Button Less Prominent

Status: Acceptable in some EU countries.

Description: Are we entering a gray area where some manipulation might be permissible? Well, sort of. Following the current logic, the next step is the design of the two buttons, Accept and Decline: both are on the first screen, but the Decline button is styled to be less prominent. This is marginally acceptable in some EU countries. Check our source at the end of the article for details.

Cookie Banner Dark Pattern - nudge the visitors by showing them a consent banner on each page or at each visit

Dark Pattern 6: Repeatedly Displaying the Cookie Banner to Visitors Who Have Declined

Status: Acceptable in some EU countries.

Description:

Simply not saving a visitor's refusal can be a strategy. If visitors come regularly, they may eventually get annoyed enough to agree. This process of repeatedly asking is known as "nudging."

Of course, storing the visitor's response to the cookie banner counts as an essential technology, so it's allowed and there's no reason not to do it. And it might not be very pleasant for your visitors to be annoyed every time they visit your site, would it?

Cookie Banner Dark Pattern - a sticky cookie banner that says users will automatically agree

Dark Pattern 7: "Sticky" Cookie Banner with Implied Consent on Use

Status: You guessed it ... not okay.

Description:

This is a tactic that has been observed over an extended period. A banner that sticks to the bottom of a webpage ("sticky") sometimes states that continued use of the website implies consent.

There are two key points to consider. First, automatic consent is not acceptable. Second, a sticky banner in itself does not necessarily violate the General Data Protection Regulation (GDPR). However, it is crucial that a lack of interaction with the banner is treated as rejection. You have to ensure nothing is loaded before the visitors agree. No Google Analytics before that, no YouTube ...

Typically, such a banner results in a much higher rejection rate, as most visitors simply ignore it.

Best Practice for a cookie banner design

Example: How Cookie Banners Should Be Designed in Practice

The core message in designing cookie banners is simple: Any pressure on visitors to consent is not acceptable.

A "Best Practice" for cookie banners has been developed by ConPolicy in collaboration with organizations like CookieFirst, Access Now, Telefonica, and the BMUV. Details of this initiative can be viewed here (German).

What you need:

  • Equivalent Options: There should be a straightforward option to consent to all cookies as well as to reject all.
  • Customizable Consent: An option to customize consent should be provided. This can be on the first screen, but it is not mandatory.
  • Close = Deny: If an option to close the banner is offered, it should be equivalent to selecting "deny all."
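The rules above (nothing pre-selected, close counts as deny, a stored refusal is not asked again, nothing loads before consent) can be expressed as a small piece of consent logic. This is an added example, not code from the original article or from any consent tool; the category names, storage key, action names and function names are assumptions, and storage and script loading are injected so it runs outside a browser.

```javascript
const CATEGORIES = ["analytics", "video", "marketing"]; // assumed non-essential categories
const STORAGE_KEY = "consent_decision"; // assumed key name

// Nothing is pre-selected: every non-essential category starts as false.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Map a banner action to a decision. "close" is handled exactly like "deny_all".
function decide(action, custom = {}) {
  const choices = defaultChoices();
  if (action === "accept_all") {
    for (const c of CATEGORIES) choices[c] = true;
  } else if (action === "save_custom") {
    for (const c of CATEGORIES) choices[c] = custom[c] === true; // only an explicit true counts
  } else if (action !== "deny_all" && action !== "close") {
    throw new Error(`unknown banner action: ${action}`);
  }
  return { decided: true, choices };
}

function saveDecision(storage, decision) {
  storage.setItem(STORAGE_KEY, JSON.stringify(decision));
}

// Returns the stored decision, or null when nothing valid is stored.
function loadDecision(storage) {
  try {
    const d = JSON.parse(storage.getItem(STORAGE_KEY));
    return d && d.decided === true && d.choices ? d : null;
  } catch {
    return null;
  }
}

// The banner is shown only while no decision is stored; a refusal is remembered too.
const shouldShowBanner = (storage) => loadDecision(storage) === null;

// Loads only non-essential services whose category was explicitly granted.
// With no stored decision (banner ignored) nothing is loaded. Returns the loaded names.
function loadPermitted(storage, services, loader) {
  const d = loadDecision(storage);
  const allowed = services.filter((s) => d !== null && d.choices[s.category] === true);
  allowed.forEach((s) => loader(s));
  return allowed.map((s) => s.name);
}

// In-memory stand-in for localStorage or a first-party cookie (constructed for this example).
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a page, `loader` would be the function that injects the third-party script or embed, and `storage` would be `localStorage` or a cookie wrapper.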

Further Details and Sources

We often refer to the report from Summer 2024, "noyb's Consent Banner Report: How authorities actually decide," which can be found here. This report illustrates how authorities make decisions. However, it is always recommended to discuss the chosen option with data protection experts to ensure compliance.

Best cookie banner design is no design at all

The Best Cookie Banner Design: No Cookie Banner at All

Yes, it's sometimes hard to implement, but nobody forces you to have a cookie banner. The key here is to use cookie-free and consent-free tools.

There are alternatives for many services that do not require GDPR consent. They are designed not to work with your visitors' personal data.

Examples:

  • For videos. Uh, us! Ignite is privacy-first and consent-free, making it an excellent alternative to YouTube, Vimeo, Wistia, etc.
  • An alternative to Google Analytics could be "Plausible" or "SimpleAnalytics".
  • An alternative to Google's reCAPTCHA is Friendly Captcha, etc.

Once you have a service that requires consent, you'll need the cookie banner again. But that shouldn't stop you from replacing providers. After all, the tools then work for all visitors, not just those who consent.

Especially with videos, this effect is very noticeable. You've spent a lot of money producing your videos; hiding them behind 2-click solutions makes no sense. The more people who actually see your videos, the better.
